A decryptor for the Planetary Ransomware family was released by Emsisoft this week that allows victims to decrypt their files for free. This ransomware family is named Planetary because it commonly uses the names of planets for the extensions added to encrypted file’s names.
When encrypting files it will append the .mira, .yum, .Pluto, or .Neptune extension to a an encrypted file’s name. For example, if a file called test.jpg was encrypted, it would be renamed to test.jpg.Pluto.
The latest variant appends the .mira extension, which is named after the fictitious planet from the Xenoblade video game.
In order to decrypt your files for free, you will need to make sure that you have a copy of the ransom note created when you were infected.
The ransom note is named !!!READ_IT!!!.txt and is located in each folder that had files that were encrypted and on the desktop.
Decrypting the Planetary Ransomware
If you were infected with the Planetary Ransomware and still have the encrypted files and a ransom note, simply download the decrypt_Planetary.exe program from the following link and save it on your desktop:
Once downloaded, run the program with administrative privileges in order to decrypt all the files that were targeted by the ransomware. Once started, you will be at the bruteforcer screen where it asks you to select a ransom note.
Browse and select a ransom note and then click on the Start button.
The decryptor will then display the decryption key that was found as shown below.
You can now press the OK button to load the key into the decryptor.
The main decryptor screen will now be displayed and you should add any drives that contain files you wish to decrypt.
Once ready, click on the Decrypt button to begin the decryption process. The decryptor will now search the computer for encrypted files that end with the .mira, .yum, .Pluto, or .Neptune extension and automatically decrypt them.
When it has finished, the Results tab will state Finished and all of your files should now be decrypted.